When the Internal Audit Department reviews a business process in a campus unit, it is seeking the answers to two critical questions: What is the process trying to achieve (overall objectives), and how does the unit ensure the process works as intended (control objectives)?
Auditors often receive straight-forward responses to the first question, such as:
- Timesheets are completed as required by University policy
- Travel reimbursements are submitted in a timely manner
- Necessary supplies are ordered and received properly
For question two, the responses are less clear, such as:
- The department admin collects timesheets and files them
- The office submits the reimbursements to the Travel Office within 30 days
- Faculty members send an email requesting supplies and they are stored in a locked cabinet
Tom York, director of internal audit, noted the key to responding to question two comes down to the difference between a business process step and an internal control activity.
“A process step is a task, activity or other event within the process that moves an input closer to the final objective,” explained York. “An internal control activity is a critical step within the process that leads to success of the entire process.”
A process can have many steps. For example, consider what is required to get a grant proposal submitted, and how few of them are internal control activities.
An internal control activity ensures one or more of the following desired results:*
- Authorization (actions are approved by a properly designated official)
- Accuracy (information presented is checked and verified)
- Completeness (information presented contains all required elements)
- Existence (the entity or asset involved is currently active and accounted for)
- Valuation (currently valid rates and prices are being used)
- Classification (information or asset is assigned to currently valid class or group)
- Timeliness/Cutoff (information is being submitted within time period required or expected)
- Segregation of duties (key tasks are assigned to different individuals)
- Safeguarding of assets (physical or logical security is established and maintained for asset)
Using the above as a guide, better answers to question two would be:
- Supervisors review timesheet submissions monthly to ensure they were completed on time
- Supervisors review and approve all travel reimbursements for accuracy before submission to the Travel Office
- Department admin staff matches the purchase order, invoice and receiving slip before marking the supply as received in 49er Mart
As units review the tasks and control activities within their processes, employees should consider whether what they think is a control actually works as a control activity. The control should mitigate the risk that the process fails to achieve its objective, and it should provide the process owner an assurance that “the right things are completed the right way.”*
There are several training resources available on the subject of internal controls. The Financial Management Guidelines published by the Controller’s Office has a section on internal controls. A brief training module on internal controls is listed under “Resources” on the Controller’s Office website, and there is a short presentation on the Internal Audit Department website on internal controls.
*Raven Catlin (ravenglobaltraining.com),“Benefits and Challenges of Risks Based Auditing”, March 2014.